Ask any security practitioner about ransomware nowadays, and chances are good you’ll get an earful. Recent outbreaks like Petya and WannaCry have left organizations around the world reeling, and statistics show that ransomware is on the rise generally.

For example, 62 percent of participants in ISACA's recent "Global State of Cybersecurity" survey reported experiencing a ransomware attack in 2016, yet only 53 percent had a formal process for dealing with one. Ransomware is already a significant problem, and the trend in these figures suggests it will become a larger one.

One of the questions organizations ask is what steps they can take to protect themselves. Specifically, what can they do to make sure they are prepared, protected and resilient in the face of an outbreak?

A strategy that can work successfully is the long-tested “tabletop exercise” — that is, conducting a carefully crafted simulation (in this case, a ransomware situation) to test organizational response processes and validate that all critical elements are accounted for during planning.

This strategy works particularly well for ransomware because it encourages direct, frank and open discussions about a key area that is often a point of contention during an incident: the ransom itself.

What Is a Tabletop Exercise?

Invariably, in the context of an actual ransomware incident, someone will suggest paying the ransom. Sometimes it is a business team that sees the ransom as a small price to pay to get critical activities back on track. In other cases, it might be executives who are eager to avoid what is likely to be a protracted disruption to operations. Either way, paying the ransom can seem compelling when the pressure is on and adrenaline is high.

However, most law enforcement and security professionals agree that there are real downsides to paying the ransom. First, there is the possibility that the attackers will not honor their end of the deal: a victim might pay and still lose its data. Second, even if the attackers do follow through, a payment only buys decryption; it does not remove whatever foothold they used to get in, so the underlying compromise still has to be investigated and cleaned up. Finally, paying creates a perception that the organization is a soft touch, which could induce the same or other attackers to target it again down the road.

An organization under ransomware pressure might make a decision it would not make when thinking the question through calmly and in the abstract. That is why working through the issues ahead of time, and recording the resulting position before an incident occurs, is so valuable.